> > > On 5/11/06, Tom Eastep <[EMAIL PROTECTED]> wrote:
> > Then you will have to use firewall mark classifiers rather than the
> > CLASSIFY target directly.
> >
> > As described in the Shorewall web-site documentation of the
> > MARK/CLASSIFY column, when you enter <number>:<number>, you are
> > specifying a class directly (first number is the entry number in
> > /etc/shorewall/tcdevices, and the second number is 100+<mark value>). So
> > rather than do that, you simply need to specify the appropriate mark
> > value in this column.
> >
> > Hope this helps,
> >
> > -Tom

I made the (probably obvious) improvement to the following:

# yet another another modified version
#MARK       SOURCE      DEST            PROTO   PORT(S) SOURCE  USER    TEST
#                                                       PORT(S)
RESTORE:F   -           -               tcp
CONTINUE:F  -           -               tcp     -       -       -       !0
1:F         -           -               ipp2p   ipp2p
SAVE:F      -           -               tcp     -       -       -       1
50          -           -               -       -       -       -       1

This doesn't use eth0 or eth1, so it will load OK and not cause the
prerouting error.

Now, that said, I'm still not getting traffic into class 50, it's
ending up in class 30:

# tc -s -d qdisc output (edited)

qdisc sfq 130: dev eth0 parent 1:130 quantum 1514b limit 128p flows 128/1024 perturb 10sec
 Sent 24714841 bytes 21598 pkts (dropped 0, overlimits 0)
 backlog 2p

qdisc sfq 150: dev eth0 parent 1:150 quantum 1514b limit 128p flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

Perhaps most frustrating, I'm seeing the connections are apparently
being marked (!) perhaps even somewhat correctly... hard to tell for
sure without doing more analysis:

# shorewall show connections (edited)

tcp      6 431477 ESTABLISHED src=10.11.0.2 dst=72.57.174.179 sport=2590 dport=16881 src=xx.xx.xx.xx dst=216.162.194.13 sport=16881 dport=2590 [ASSURED] use=1 mark=1

I see 22 connections with mark=1 right now, and 7 with mark=0 right
now... and I suspect that if all 22 mark=1 connections were being set
to class 50, the system would be behaving as I'd like.

-- Bob
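The two diagnostics in the post (`shorewall show connections` for marks, `tc -s qdisc` for per-class counters) are easier to read side by side. The script below is an added example, not part of the thread or of Shorewall itself: it counts connections per conntrack mark, pulls the packet counter of each class from the tc output, and joins them using the mapping Tom's reply states (class = <tcdevices entry>:<100 + mark>). The tcdevices entry number (1), the sample conntrack and tc lines (modelled on the edited output above, with real tc printing each qdisc on one line), and the optional FROM:TO rewrite argument, which stands for a rule like the post's `50 ... TEST 1` that re-marks packets of mark-1 connections to 50 before they reach the classifier, are all assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread): join conntrack marks with the tc class
# counters that Shorewall's mark->class mapping would route them to. Sample
# inputs are constructed, modelled on the edited output in the post.

CONNTRACK_SAMPLE='tcp      6 431477 ESTABLISHED src=10.11.0.2 dst=72.57.174.179 sport=2590 dport=16881 src=192.0.2.1 dst=216.162.194.13 sport=16881 dport=2590 [ASSURED] use=1 mark=1
tcp      6 300 ESTABLISHED src=10.11.0.3 dst=198.51.100.7 sport=40000 dport=443 src=192.0.2.1 dst=198.51.100.7 sport=443 dport=40000 [ASSURED] use=1 mark=0
tcp      6 120 ESTABLISHED src=10.11.0.2 dst=203.0.113.9 sport=2591 dport=6881 src=192.0.2.1 dst=203.0.113.9 sport=6881 dport=2591 [ASSURED] use=1 mark=1'

TC_SAMPLE='qdisc sfq 130: dev eth0 parent 1:130 quantum 1514b limit 128p flows 128/1024 perturb 10sec
 Sent 24714841 bytes 21598 pkts (dropped 0, overlimits 0)
 backlog 2p
qdisc sfq 150: dev eth0 parent 1:150 quantum 1514b limit 128p flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)'

# count_marks CONNTRACK_TEXT: one "mark=N COUNT" line per distinct mark value
count_marks() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^mark=/) m[$i]++ }
             END { for (k in m) print k, m[k] }' | sort
}

# class_pkts TC_TEXT: one "PARENT PKTS" line per qdisc, e.g. "1:130 21598"
class_pkts() {
    printf '%s\n' "$1" |
        awk '/^qdisc/ { for (i = 1; i <= NF; i++) if ($i == "parent") p = $(i + 1) }
             /^ *Sent / { print p, $4 }'
}

# expected_class MARK: class id per the quoted reply, <tcdevices entry>:<100+mark>.
# The tcdevices entry number (1) is an assumption of this example.
expected_class() {
    echo "1:$((100 + $1))"
}

# remap MARK [FROM:TO ...]: apply a packet-mark rewrite such as the post's
# "50 ... TEST 1" rule (packets of mark-1 connections leave with mark 50).
remap() {
    m=$1; shift
    for pair in "$@"; do
        [ "${pair%%:*}" = "$m" ] && { echo "${pair#*:}"; return; }
    done
    echo "$m"
}

# marks_vs_classes CONNTRACK_TEXT TC_TEXT [FROM:TO ...]: for every mark seen in
# conntrack, show the class it should land in and that class's packet count.
# "no-qdisc" means no class exists for that mark at all; "pkts=0" with
# connections present is the symptom described in the post.
marks_vs_classes() {
    ct=$1; tc=$2; shift 2
    count_marks "$ct" | while read -r mk n; do
        cls=$(expected_class "$(remap "${mk#mark=}" "$@")")
        pkts=$(class_pkts "$tc" |
            awk -v c="$cls" '$1 == c { print $2; f = 1 } END { if (!f) print "no-qdisc" }')
        echo "$mk conns=$n class=$cls pkts=$pkts"
    done
}

# Usage: the 1:50 rewrite mirrors the post's final tcrules line.
marks_vs_classes "$CONNTRACK_SAMPLE" "$TC_SAMPLE" 1:50
```

On a live box, replace the two sample strings with `shorewall show connections` and `tc -s qdisc show dev eth0` output; a mark with connections whose class reports `pkts=0` tells you the marking side is fine and the problem is between the packet mark and the classifier.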


------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/